WinCollect will not install correctly

I'm trying to install WinCollect on a 2008 and a 2012 server. On both servers the installation completes successfully and no errors are generated on either the server or QRadar. I am able to look in the console web interface and see the agent as active and running. I am also able to see the heartbeat messages coming from the agent. However, I am not receiving any logs from the agent. I have tried both 7.2.7 and 7.2.8 to see if the version made a difference, but the problem occurs on both. From what I can tell, the agent-config.xml file is not being populated with a destination. In the WinCollect log file I do see a message saying "There is no active destinations specified in the config file, therefore all results will be discarded". The problem seems to be that the agent-config.xml file is not being populated with the information it needs, but I cannot seem to figure out why, and removing and reinstalling has not seemed to fix the issue. Any suggestions?

2 answers

I'm guessing that you installed in Managed mode, based on you saying you can see the Agent in the QRadar web interface? If you double-click on that agent, it should show you which log sources are tied to it: "This WinCollect Agent is collecting events from X Log Sources".

If it's not attached to any log sources, you won't get any events. Otherwise, go in and create a new log source and attach it to that agent. You can have this part automatically set up as part of the install, but you first need to create a destination and then use the Destination name in the install, which in this case is "local" (see image).

@Jamie W (IBM) Thanks for the quick reply. Yes, these WinCollect agents are being deployed managed. I have looked at the configuration settings you suggested and it seems to make it a little bit farther, but the problem with the agent-config.xml file remains. I added my event collector in as a destination. Then I installed the WinCollect agent on the Windows server and configured the log source to send to the Destination name that I just created. When I finish the install, the WinCollect agent is added in the console, and the Windows event log source is created in my log sources. I also start receiving heartbeat events from the Windows server. However, I still cannot receive any Windows logs. The WinCollect log on the Windows server still generates the "There is no active destinations specified in the config file, therefore all results will be discarded" error, and the agent-config.xml file does not contain the name of the destination I created. For whatever reason, the installer does not seem to put that information into the XML file.

Can you send me your agentconfig.xml (from the config folder; also, please GDPR the data before attaching), and any errors that you might see in the wincollect.log file (log folder), assuming you are running 7.2.8?